[Rspamd-Users] page.link spam not picked up by URIBLs
Sleddens, J.P.G. (Jeffry)
j.p.g.sleddens at hr.nl
Mon Feb 22 21:24:27 UTC 2021
Hi,
We are getting lots of spam with URLs in the page.link domain, but these
mostly fly under the radar, especially the URIBL checks, because the host
part of the URL is chopped off. For example, the following is the log of a mail
being scanned that has the URL hxxps://bitcointraderofficial<dot>page<dot>link/8u31
in it:
2021-02-22 21:18:01 #26175(normal) <181262>; multimap; multimap.lua:628: apply filter full for rule ABUSE_CH_URLHAUS: hxxps://bitcointraderofficial<dot>page<dot>link/8u31 -> hxxps://bitcointraderofficial<dot>page<dot>link/8u31
2021-02-22 21:18:01 #26175(normal) <181262>; multimap; multimap.lua:437: check value hxxps://bitcointraderofficial<dot>page<dot>link/8u31 for multimap ABUSE_CH_URLHAUS
2021-02-22 21:18:01 #26175(normal) <181262>; phishing; phishing.lua:156: try to resolve {bitcointraderofficial<dot>page.link, 8u31} -> 6ni1gstxdme4rgt1dmhcp5yipetwoua1.phishtank.rspamd.com
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:837: rbl DBL; resolve page.link -> page.link.dbl.spamhaus.org
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:837: rbl SEM_URIBL_FRESH15_UNKNOWN; resolve page.link -> page.link.fresh15.spameatingmonkey.net
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:837: rbl RSPAMD_URIBL; resolve page.link -> 93d1iewb75qxmd6b3rm68mqqy6q4j3fp.uribl.rspamd.com
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:837: rbl SEM_URIBL_UNKNOWN; resolve page.link -> page.link.uribl.spameatingmonkey.net
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:837: rbl URIBL_MULTI; resolve page.link -> page.link._235630C0E3D0.df.uribl.com
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:837: rbl SURBL_MULTI; resolve page.link -> page.link.multi.surbl.org
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:235: DNS RESPONSE: label=page.link.dbl.spamhaus.org results=false error=no records with this name rbl=DBL
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:235: DNS RESPONSE: label=page.link._xxxxxxxxxx.df.uribl.com results=false error=no records with this name rbl=URIBL_MULTI
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:235: DNS RESPONSE: label=page.link.uribl.spameatingmonkey.net results=false error=no records with this name rbl=SEM_URIBL_UNKNOWN
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:235: DNS RESPONSE: label=page.link.fresh15.spameatingmonkey.net results=false error=no records with this name rbl=SEM_URIBL_FRESH15_UNKNOWN
2021-02-22 21:18:01 #26175(normal) <181262>; rbl; rbl.lua:235: DNS RESPONSE: label=page.link.multi.surbl.org results=false error=no records with this name rbl=SURBL_MULTI
2021-02-22 21:18:01 #26175(normal) <181262>; bayes; lua_stat.lua:835: added url token: #u:page.link
page.link is not listed on any URIBLs, but bitcointraderofficial.page.link is
(for example, bitcointraderofficial.page.link.multi.surbl.org has address
127.0.0.64).
Is there a way to remedy this? I see that the RBL module uses
/usr/share/rspamd/effective_tld_names.dat to find URLs, and it feels like
page.link should be added to this list, but I'd rather not manually edit this
file (as it says not to), and I do not see any other way to add TLDs.
With kind regards,
Jeffry Sleddens
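The mechanism behind the log above, as an added example that is not part of the original post and is not Rspamd's own code: a URIBL lookup is made for the registrable domain (public suffix plus one label) of the URL host, and the public suffix is decided by a Public Suffix List such as effective_tld_names.dat. The script below implements that PSL algorithm (plain, wildcard and exception rules), builds the query name a list such as multi.surbl.org would be asked for, and shows the difference between a suffix list without page.link (the query collapses to page.link, exactly as in the log) and one where page.link is treated as a public suffix. The rule set, the FAKE_DNS table and the function names are constructed for illustration; the URL is the defanged one from the post with hxxps restored to https, and no real DNS queries are made. It does not claim any particular Rspamd configuration option exists for adding suffixes.

```python
"""Added example: how a Public Suffix List decides which part of a URL host
a URIBL lookup uses (illustration only, not Rspamd's implementation)."""
from urllib.parse import urlsplit

# Constructed subset of PSL rules in the file's three forms: plain ("co.uk"),
# wildcard ("*.ck") and exception ("!www.ck"). Assumption: page.link is absent
# from the base set, which reproduces the behaviour seen in the post.
BASE_RULES = {"com", "link", "uk", "co.uk", "ck", "*.ck", "!www.ck"}
PATCHED_RULES = BASE_RULES | {"page.link"}

# Constructed, offline stand-in for the DNS answers reported in the post.
FAKE_DNS = {"bitcointraderofficial.page.link.multi.surbl.org": "127.0.0.64"}


def _rule_matches(rule, labels):
    """True if the rule (leading '!' ignored) matches the host labels
    right-to-left; '*' matches any single label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == label
               for r, label in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(host, rules):
    """PSL algorithm: a matching exception rule wins (minus its leftmost
    label); otherwise the longest matching rule; otherwise the last label
    (the implicit '*' rule)."""
    labels = host.lower().rstrip(".").split(".")
    exceptions = [r for r in rules if r.startswith("!") and _rule_matches(r, labels)]
    if exceptions:
        n = len(exceptions[0].split(".")) - 1
    else:
        n = max((len(r.split(".")) for r in rules
                 if not r.startswith("!") and _rule_matches(r, labels)), default=1)
    return ".".join(labels[-n:])


def registrable_domain(host, rules):
    """Public suffix plus one label (eTLD+1); None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def uribl_query_name(url, rules, zone="multi.surbl.org"):
    """Query name a list-based URIBL would be asked for this URL's host."""
    host = urlsplit(url).hostname
    domain = registrable_domain(host, rules) or host
    return f"{domain}.{zone}"


def uribl_check(url, rules, zone="multi.surbl.org"):
    """Return (query name, answer or None) using the constructed resolver."""
    name = uribl_query_name(url, rules, zone)
    return name, FAKE_DNS.get(name)


if __name__ == "__main__":
    url = "https://bitcointraderofficial.page.link/8u31"  # URL from the post
    for label, rules in (("stock list", BASE_RULES),
                         ("page.link added", PATCHED_RULES)):
        print(f"{label:16} -> {uribl_check(url, rules)}")
```

With the stock rule set the query is page.link.multi.surbl.org and nothing is listed; once page.link is a public suffix the query becomes bitcointraderofficial.page.link.multi.surbl.org and the 127.0.0.64 answer the poster observed with a manual lookup is returned. The same shortening applies to every list in the log, including the hashed lookups (Spamhaus DBL, uribl.rspamd.com), since the hash is computed over the shortened domain.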